Potential information leaks due to the use of non constant-time encoding routines #637
Labels
triage/analyze
Feature Request that need to be analyzed
Comments
|
Hello, I'm glad to know you're interested in auditing sysPass :) Regarding this notice, that method is not used to generate cryptographic keys, because they're only generated by defuse library. This method is only used to get some secrets that won't be used on any cryptographic routine. Thanks for the feedback! |
nuxsmin
added a commit
that referenced
this issue
Jun 15, 2017
…he-timing attacks (this does not affec to to cryptographic functions, which were already safe). Thanks to @LeSuisse for the feedback. * [MOD] Temporary master password will never be saved in the event log.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
It seems the software uses encoding routines that do not run in constant-time on secrets. This is generally something that is avoided on application dealing with cryptography since it might lead to the leak of secrets due to cache timing attack.
One example in this codebase:
Util::generateRandomBytes(): returned value is passed intobin2hexand then used as IV, secrets…You can get more information on this in the following blog post from ParagonIE: https://paragonie.com/blog/2016/06/constant-time-encoding-boring-cryptography-rfc-4648-and-you
The text was updated successfully, but these errors were encountered: